diff --git a/Dockerfile b/Dockerfile
index fb648cd9e..688b6857c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,26 +19,24 @@ RUN npm run build-ui \
 
 FROM node:24@sha256:5a593d74b632d1c6f816457477b6819760e13624455d587eef0fa418c8d0777b AS production
 
-COPY --from=builder /out/package*.json ./
-COPY --from=builder /out/node_modules/ /app/node_modules/
-COPY --from=builder /out/dist/ /app/dist/
-COPY --from=builder /out/build /app/dist/build/
-COPY proxy.config.json config.schema.json ./
-COPY docker-entrypoint.sh /docker-entrypoint.sh
-
-USER root
+WORKDIR /app
 
-RUN apt-get update && apt-get install -y \
-    git tini \
-    && rm -rf /var/lib/apt/lists/*
+# Install deps and create data dirs once
+RUN apt-get update && apt-get install -y --no-install-recommends git tini \
+    && rm -rf /var/lib/apt/lists/* \
+    && mkdir -p /app/.data /app/.tmp /app/.remote \
+    && chown 1000:1000 /app /app/.data /app/.tmp /app/.remote
+
+COPY --chown=1000:1000 --from=builder /out/package*.json ./
+COPY --chown=1000:1000 --from=builder /out/node_modules/ ./node_modules/
+COPY --chown=1000:1000 --from=builder /out/dist/ ./dist/
+COPY --chown=1000:1000 --from=builder /out/build ./dist/build/
+COPY --chown=1000:1000 proxy.config.json config.schema.json ./
+COPY docker-entrypoint.sh /docker-entrypoint.sh
 
-RUN mkdir -p /app/.data /app/.tmp /app/.remote \
-    && chown -R 1000:1000 /app
 
 USER 1000
 
-WORKDIR /app
-
 EXPOSE 8080 8000
 
 ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"]